74f8b830970f32d17af19f10296ed6e38a7ddcf37d83543a90ddaaba5533bf12

Resubmissions

30/09/2024, 15:45

240930-s63ktaxcrd 7

13/08/2024, 06:46

240813-hjq86aygqd 7

Analysis

max time kernel
140s
max time network
21s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 15:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

helper.exe
Size

1.8MB
MD5

c9f9eea209bb51ef39ca91e044a697a5
SHA1

3df695168bf8b2eaf91810ead2211a26933ea42e
SHA256

74f8b830970f32d17af19f10296ed6e38a7ddcf37d83543a90ddaaba5533bf12
SHA512

155a748d73c5fe988afbdd9fa9f5472bb338771fc4f8b1a708450211fe47bb1c10b5c106e987ee01a294c35a302a36f59233a20fb07a3986047f6e61578f8c92
SSDEEP

24576:6awwKusHwEwSDMn6Eeb5lbU7/cW29kdvDOq69IZao5nBnY71WK71QyE4BjLju:qwREDDMMbbocW2SdLOJ9IQo5hJWX/6

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2880	helper.tmp

Loads dropped DLL 1 IoCs

pid	Process
2320	helper.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	helper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	helper.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2880	helper.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2880	2320	helper.exe	29
PID 2320 wrote to memory of 2880	2320	helper.exe	29
PID 2320 wrote to memory of 2880	2320	helper.exe	29
PID 2320 wrote to memory of 2880	2320	helper.exe	29
PID 2320 wrote to memory of 2880	2320	helper.exe	29
PID 2320 wrote to memory of 2880	2320	helper.exe	29
PID 2320 wrote to memory of 2880	2320	helper.exe	29

C:\Users\Admin\AppData\Local\Temp\helper.exe
"C:\Users\Admin\AppData\Local\Temp\helper.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\is-6UFR9.tmp\helper.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-6UFR9.tmp\helper.tmp" /SL5="$401B2,948902,919552,C:\Users\Admin\AppData\Local\Temp\helper.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-6UFR9.tmp\helper.tmp

Filesize
3.3MB

MD5
a15a06208b67487ac2eba3003ec9c8b8

SHA1
c7bfda5c0bffaece26d21e31e01bbbfe6b4dcb57

SHA256
b0aa7284cfca500d2f69dc0add1d5bdcc3f009190170c15f675d7642763a88af

SHA512
ea260ad45a31ac2a735e317500ef1fad030fbfc2659beba114538b1ace1b1442b440c0cb991654bdd015a2fb5fc52d30159aa948c2e6d0f076c4cce9696b5a05

Download Submit
memory/2320-0-0x0000000000E90000-0x0000000000F7E000-memory.dmp

Filesize
952KB

Download
memory/2320-2-0x0000000000E91000-0x0000000000F39000-memory.dmp

Filesize
672KB

Download
memory/2320-11-0x0000000000E90000-0x0000000000F7E000-memory.dmp

Filesize
952KB

Download
memory/2880-8-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2880-9-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2880-10-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2880-13-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2880-12-0x0000000000AB0000-0x0000000000DFE000-memory.dmp

Filesize
3.3MB

Download